Thursday, March 16, 2006
Department of Hapless Security
Today, the Washington Post reported that government agencies fared poorly in the House Government Reform Committee's annual report card on computer security, with the federal government as a whole getting a "D+". The Departments of Commerce, Housing and Urban Development, Treasury, and the Nuclear Regulatory Commission all received grades of "D", while the Departments of Agriculture, Defense, Energy, Health and Human Services, the Interior, Justice, State, and Veterans Affairs all received an "F". (DoE and the USDA have the notable distinction of having failed every year for the last five years.)
Also solidly in the "F" category is the Department of Homeland Security – for the third year running. This is especially troubling because, aside from minding its own cyber-security, DHS has the duty to keep all government agencies' computers safe from hackers, thieves and terrorists. Physician, heal thyself.
The committee based its grades on how well the agencies met the Federal Information Security Management Act, which requires agencies to implement a range of computer security measures, from restricting access to reporting breaches. However, according to one computer security expert quoted in the Post, agencies are wasting nearly all of their funding on bureaucratic paperwork instead of protecting their systems: "Most [agencies] are spending so much on the paperwork exercises that they don't have a lot of money left over to fix the problems they've identified."
The individual agencies have no comparative advantage in specialized internal security (even the DoJ falls flat), and DHS's three years of failure show that it is too thinly stretched to do the job. The solution lies in an independent cyber-security auditing board, responsible for testing the security of the government's computer systems. It would eliminate redundant operations and reduce the agencies' costs, allowing the agencies to focus on implementing the auditors' recommendations within their core missions. Most importantly, there would be clear accountability.
There ought to be a law. —GAHjr